Club data security concerns (from elsewhere)

kbasa

Well-known member
I've tried asking this question elsewhere and got roundly dissed and blown off by OM, so I'm escalating this for visibility. He's not willing to provide an answer, so I'm hopeful that someone will deal squarely with me and answer my inquiries.

vBulletin 5 is most likely not the answer- https://www.theadminzone.com/threads/why-do-people-still-hate-vbulletin-5.154064/

No real need to keep bringing it up.

OM

v6, their current version, is what we want, not 5. 5 was introduced in 2013 and got sunsetted last month.

Moreover, please don't dismiss me; it's insulting and unprofessional. I'm going to keep bringing it up because I'm not getting responses to my question other than "we'll get right on that", delivered with sarcasm by Henzilla when I asked about updates, or the dismissive response you just served up. If you are not willing to respond to the membership's questions, maybe being part of club leadership isn't for you. You, as part of leadership, are accountable to the membership and it is expected that you will deal earnestly with member questions and comments. This post does not meet that standard of respect and obligation to the membership in my opinion. As I was regularly reminded while serving the club "officers work for the members, not the other way around".

I started by wondering why we don't have a like button, but some investigation reveals that we are not on the most secure version of our forum software. It's almost 7 years since v4.2.5 version was discontinued by vB. For those not following along, that means that we likely haven't had a security patch since then, at the most recent. Would you trust your bank to be sitting on security they put in place back then?

I'm a club member and an IT professional. IT security means keeping software up to date and applying all patches should be our standard process. We are on a version that was EOL'd in 2017. Is that good IT hygiene? No. It is not. Is there a two factor authentication option to protect my credentials and prevent them from being poached? No, there is not. Do we have Okta integration like other forums I'm on? No we don't.

If there were a breach, those gaps will be what torpedoes us and exposes us to highly avoidable lawsuits. We have not done due diligence to protect member data, as far as I can see, so we will be found responsible in any legal action resulting from a data breach or loss. I hope I'm wrong, but I believe that I am not, having seen our scenario play out for the worse with some of my clients. If you wind up in court and the plaintiff points out that the organization is using a software product that's ten years out of date and has known security gaps, we will be held responsible for the members' loss of privacy. It will not be cheap when plaintiffs demonstrate that we knew we were using old software and didn't remediate an obvious risk vector.

My largest concern is that 4.x is vulnerable to code injection, which means that folks can gain direct access to the data tables on vB, among other items, including user credentialing and PII. I have supported other SQL based web enabled products that have been subject to this potential exploit, but not in almost ten years because everyone has shut the door on that type of hack. Do we want to get ransomwared? Because this is how we get ransomwared. Do we want to expose our membership to identity theft? Because this is how we do that, too.

I work for a company that responds to data breaches and you do not want to expose this organization to even the tactical cost of remediating this kind of event, much less the litigation exposure. Every document or record potentially exposed is typically analyzed for PII manually, by a room full of lawyers, and those who've had their PII exposed get a notice that this has occurred. Is that financial and reputational risk something we should be exposing this organization to?

Do we have the money to buy every member a year's membership in LifeLock once their data is breached? I expect that we do not have the financial wherewithal to do that if we have a breach and it may destroy the club if we're not insured for such an occurrence. Civil litigation from data breaches is a real thing. I work in that sphere where IT and the law intersect.

So. Can I please get a responsive and informative answer to my question? I'm not violating any forum rules and have been unfailingly polite. I expect an answer in kind.

Here it is again: Why haven't we updated our forum software?

Feel free to escalate to one of the admins, presuming you're a mod, or someone on the BoD, if appropriate, and I'm happy to have a conversation via PMs if that's helpful. As a paying member, I believe I have a right to a full and accurate answer to my query.

We have a fiduciary responsibility to proactively protect the data our members entrust us with. I think that as part of that trust obligation, it's fair to ask questions about how we treat, manage and protect member data. Not getting a response feels like you're not responding in good faith to a straightforward and important question.

I will keep asking about this until we are provided a coherent, clear answer to why we are so far behind on updates. I apologize if that feels antagonistic, but blowing me off really pisses me off when I ask an honest, good faith question. I should, at minimum, be able to expect a response in kind. I've sat in the Big Seat and it was my duty and obligation to respond in good faith to questions from the membership.

Thank you.

Dave

Dave Swider
teamkbasa@comcast.net
 
Thank you Dave. I couldn't agree more with ALL of your feelings.

Sometimes, someone has to be the unreasonable man. As George Bernard Shaw wrote, "All progress depends on the unreasonable man", so I guess I get to be that guy until someone decides to give us an answer.
 
I have tried to be at times to no avail. Here is hoping your past service will provide the pull needed to get some type of answer. Continuing to kick this can down the road is not the proper one however.

I have spent 30 years in IT, the last 17 as Information Services Director of a good sized network. In all that time I have belonged to only one forum I had to pay for. This one. It shocked me when I learned I would have to but I thought I would give it a chance. I am sad to say I feel most of the free ones I belonged to did a better overall job than the one I am paying for in many respects.

I do appreciate all the hard work that goes on behind the scenes but some things are happening that just shouldn't IMHO.
 
Then you and I both know what a threat code injection in web facing SQL can be. I hope we're not alone.

FWIW, this has been "reported" so hopefully we'll see some response from folks with insight into our IT security posture and what we're doing to keep vB safe. I guess that if we don't, I'll have to keep asking.
 
I have belonged to only one forum I had to pay for. This one. It shocked me when I learned I would have to but I thought I would give it a chance.

I agree with Dave's original post. But I do take issue with this statement about paying to belong to a forum.

Payments are dues to belong to the organization, the BMW MOA. That of course includes all of the activities of the club. The rallies, getaways, anonymous book and app, and everything else including friends that make up belonging to a club.
 
The MOA Forum is a member benefit, like the ON, member discounts at the National Rally, and so on. So, I can see that in a way you might think you are paying for this access, but it is really bundled with the membership, and hopefully, you find more value in your membership than just this forum.

Having said that, and also having spent 30+ years in IT, mostly as an IT Director, I agree with you and Dave about the need for an upgraded forum platform. The volunteer Forum team is due for better tools. There was a time when the Forum Administrator gave a report on the Forum to the Board at every Board meeting. That was discontinued some years ago, and I think it is one of several things the club has stopped doing which should be reinstated.
 
I am sorry, I should have been clearer. The only benefit I really wanted was access to the forum and tech articles, etc. when I joined. The rest I could live without but yes they are an additional benefit.
 
I suspected that, but you are surely not alone in seeing that much value in the content on this forum, so all the more reason for the club to invest in it.
 
We have looked at making upgrades to the forum software and evaluate our current platform regularly. The last time we discussed it with the vB resource who helps manage our forum installation, the decision was made to stick with vB4 vs. vB5. vB5 has numerous bugs and security issues and was generally not as good as vB4. We took that advice and stuck with the status quo.

As part of that conversation, the recommendation was made to move to XenForo, which the forum team supported and is waiting patiently to have installed. The hold-up is our current Member Management Software that administers usernames and passwords for the forum so that members enjoy single-site login (an issue we experienced previously if you were here for the change to new software in 2014 or so.) Our current MMS does not clearly integrate with XenForo and rather than waste a bunch of money to determine if we could find a patch, we decided to wait for a new Member Management System installation that we do know integrates with XenForo. The MMS project has not happened as fast as we originally thought and therefore the forum migration seems less timely than when we first considered making the change.

vB6 appears to have been released just recently (8/23) and I have not investigated vB6 as an alternative. I will look into it and see if that is a short-term alternative until we have the other projects resolved that allow a change to XenForo. Installing the new MMS is a current project for the latter half of this year and I expect it to be complete by Spring or sooner if it goes smoothly. If that is the case, the migration to XenForo is fairly quick.

You can direct your comments and feedback to me. The Forum team does not deserve the criticism. If you have deep experience in forums and want to discuss, give advice or generally help out, give me a call and we can discuss (205-999-9366). Or, provide a convenient time and I will call you (ted@bmwmoa.org). Either way, everyone wants the best solution for the forum and our members. Sometimes change is slower than we expect, but we do expect to make an upgrade soon.
 
Yes, I remember CF in 2014 - it was not good. Thanks for the explanation, Ted.
 
This is very helpful and greatly appreciated and is all I wanted to know, Ted. I sincerely thank you for clarifying. It appears that you have this in hand and are coordinating efforts for a fairly sizable upgrade to our entire IT structure.

The forum mod team might consider answering direct questions instead of telling people to stop asking. I'm still pissed about that. Having served as a moderator for 17 years not only here, but on a much, much larger forum with a half million members, and a much much smaller forum with a couple dozen members, I wouldn't ever think that telling a user to stop asking was an appropriate response to an earnest question.

Thanks again. I'll be looking forward to what happens next to increase our security, potentially drive engagement and continue to deliver a way for members to talk with each other.
 
Thanks Ted. That is all I wanted/needed to know and allows me to decide if I want to renew my membership or not by the end of the month. You made one comment that I would like to respond to directly and will as you suggested.
 
The forum mod team might consider answering direct questions instead of telling people to stop asking. I'm still pissed about that. Having served as a moderator for 17 years not only here, but on a much, much larger forum with a half million members, and a much much smaller forum with a couple dozen members, I wouldn't ever think that telling a user to stop asking was an appropriate response to an earnest question.

Again, I think you can direct that to me. Since the forum relies on other systems that are outside the mod team's purview, I'm not sure that we have given them a better answer than "vB isn't the answer." Oddly enough I just got a reply from our tech resource who also said "vB6 isn't the answer, either." (I'll save for later what he really said about it!)

We're taking a look at some stopgap measures that may address all of it. In the meantime, visit the beer thread!
 
"Beer threads" are very hard to sew with.
 